On August 5, 2015, in Schneider v. MobileIron, Inc., et al, a plaintiffs law firm filed a purported class action lawsuit on behalf of a single stockholder asserting claims under Section 11 of the Securities Act, against MobileIron and others. The suit alleges that in the May 2014 timeframe, a “hacker compromised the MobileIron administrative server” and was able to wipe devices held by employees of Aviva, a British insurance company and MobileIron customer.
We believe that this recent lawsuit is without merit and intend to defend against it aggressively.
Here’s what happened. A systems integrator in the UK, Esselar, was providing a managed service using MobileIron to mutual customer Aviva. Esselar's support staff had access to the MobileIron IT administrative console in order to manage the MobileIron service on behalf of Aviva. A former senior technical Esselar employee gained access to Esselar’s system by using a username/password that had not been changed after his departure, and was able to send a message to and then wipe the Aviva employees’ devices.
The incident did not occur as a result of a vulnerability in MobileIron’s software or systems. It was the result of poor internal password management by Esselar, which Esselar informed us was subsequently addressed. On June 23, 2014, we issued a public statement regarding the incident explaining that this was not a MobileIron vulnerability: https://www.mobileiron.com/en/blog/mobileiron-statement-schneider-v-mobileiron-lawsuit. The former Esselar employee was later criminally charged and pleaded guilty. Story here.
For these reasons and many others, MobileIron believes the allegations in the complaint are inaccurate and meritless. MobileIron’s policy is not to discuss pending litigation but this was too egregious to let pass without comment.